Transmitting packets from device in network communications with other device utilizing multiple virtual network connections

ABSTRACT

A method includes detecting, at a device, a request for a network connection from an application running on the device; spawning first and second virtual machines for network connections that virtualize network capabilities of the device such that first and second virtual network connections are provided; using the first virtual network connection, establishing a first connection with another device over a first path; using the second virtual connection, establishing a second connection with the other device over a second path; determining that the second path represents a trusted path; determining that a first packet does not need to be routed via a trusted connection; transmitting the first packet using the first virtual network connection for communication via the first path; determining that a second packet needs to be routed via a trusted connection; and transmitting the second packet using the second virtual network connection for communication via the second path.

CROSS-REFERENCE TO RELATED APPLICATION

The present application is a U.S. continuation of, and claims priorityunder 35 U.S.C. §120 to, U.S. patent application Ser. No. 12/499,075,filed Jul. 7, 2009, which '075 application published as US 2010/0009758,and which '075 application is a continuation-in-part patent applicationof, and claims priority under 35 U.S.C. §120 to, U.S. patent applicationSer. No. 12/253,926, filed Oct. 17, 2008, which '926 applicationpublished as US 2009/0106439 and issued as U.S. Patent 7,895,348, andwhich '926 application is a nonprovisional patent application of, andclaims priority under 35 U.S.C. §119(e) to, each of U.S. provisionalpatent application 60/999,603 filed Oct. 17, 2007 and U.S. provisionalpatent application 61/133,935 filed Jul. 7, 2008; and which '075application is a nonprovisional patent application of, and claimspriority under §119(e) to, U.S. provisional patent application61/133,935. The disclosure of the '603 application is set forth inAppendix A hereof, and the disclosure of the '935 application is setforth in Appendix B hereof. The disclosures of these Appendices as wellas the priority applications and the patent application publications areincorporated herein by reference.

Additionally, several white papers and other disclosure documentsdescribing aspects and features in accordance with one or more preferredembodiments of the present invention are attached hereto as Appendix C,and the disclosure contained in this Appendix is hereby incorporatedherein by reference.

COPYRIGHT STATEMENT

All of the material in this patent document, including the computerprogram listing, is subject to copyright protection under the copyrightlaws of the United States and other countries. The copyright owner hasno objection to the facsimile reproduction by anyone of the patentdocument or the patent disclosure, as it appears in officialgovernmental records but, otherwise, all other copyright rightswhatsoever are reserved.

Computer Program Listing

Submitted concurrently herewith via the USPTO's electronic filingsystem, and incorporated herein by reference, is a computer programlisting illustrating instructions, routines, and/or other contents of acomputer program.

The computer program listing is for three computer file(s) thatrepresents an embodiment of the invention. A table setting forth thename and size of each file included in the computer program listing isprovided below.

TABLE 1 File Name Creation Date Size in Bytes ASCIFY.txt 9/19/2011 16:1737473 CODE.TXT 9/19/2011 16:18 527580 readme.txt 9/19/2011 16:17 2573

One of these files, “readme.txt”, contains instructions for utilizing asecond of the files, “ascify.txt”, to extract information from the otherfile, “code.txt”. The other file is a compressed binary file that hasbeen converted to ascii format. This file can be converted back tobinary format utilizing an assembly conversion program source code forwhich is contained in “ascify.txt”. The readme file includesinstructions for compiling and running this conversion program, as wellas instructions for converting the other text file to a compressed,binary file. The compressed, binary file includes files forming two setsof files for one or more computer programs.

The first set of files includes fifty-nine (59) computer files that maybe utilized in accordance with an embodiment of the present invention.These files include source code written in C. These files are for aprogram that represents a proof of concept of routing at a clientcomputer. The target hardware for this implementation includes a managedswitch, two (2) Cisco® routers, and three (3) computers miming Linux.Additionally, submitted concurrently herewith via the USPTO's electronicfiling system, and incorporated herein by reference, is a computerprogram listing illustrating instructions, routines, and/or othercontents of another computer program.

The second set of files includes one hundred and twenty eight (128)computer files comprising software for a server and a client that may beutilized in accordance with an embodiment of the present invention. Thesecond computer program listing includes source code written in C. Thesefiles are for an exemplary implementation which includes client softwareconfigured to be executed on a standard personal computer runningWindows, and server software configured to be executed on a standardLinux server.

BACKGROUND OF THE INVENTION

The present invention generally relates to network routing and networkcommunications.

Conventional networks, such as the Internet, rely heavily on centralizedrouters to perform routing tasks in accomplishing networkcommunications. The vulnerability and fragility of these conventionalnetworks make entities feel insecure about using them. There exist needsfor improvement in network routing. One or more of these needs areaddressed by one or more aspects of the present invention.

SUMMARY OF THE INVENTION

The present invention includes many aspects and features. Moreover,while many aspects and features relate to, and are described in, thecontext of network routing and network communications associated withthe Internet, the present invention is not limited to use only inconjunction with the Internet and is applicable in other networkedsystems not associated with the Internet, as will become apparent fromthe following summaries and detailed descriptions of aspects, features,and one or more embodiments of the present invention.

Indeed, each of the independent claims as filed herewith represents anaspect of the invention and each dependent claim represents a feature ofsuch aspect. In addition, it should be noted that the present inventionfurther encompasses the various possible combinations andsubcombinations of such aspects and features, including those relatingto network routing and those relating to network communications.

A first network routing aspect of the present invention relates to acomputer arranged in electronic communication with one or more computernetworks, the computer running an operating system and running aplurality of applications, each of the applications programmed tocommunicate over a computer network. The computer is characterized inthat, the computer performs a method comprising the steps of, for eachapplication, creating, for such application, a virtual machine that isconfigured to send and receive communications over a computer network;determining, for such application, a network protocol out of a pluralityof available network protocols, the determined network protocolrepresenting an appropriate network protocol, out of the plurality ofavailable network protocols, for current communication requirements ofthe application; and causing the application, when communicating overthe network, to send and receive communications via the created virtualmachine using the determined network protocol. Multiple virtual machineinstances are created and simultaneously maintained by the computer,each virtual machine instance handling communications of one of theplurality of applications via a networking protocol that has beendetermined to be appropriate for the current communication requirementsof the application.

In a feature of one or more aspects of the invention, the computerperforms the method by executing a virtual dispersive routing program.

In a feature of one or more aspects of the invention, the computer is apersonal computer.

In a feature of one or more aspects of the invention, the computer is apersonal desktop computer.

In a feature of one or more aspects of the invention, the computer is apersonal laptop or notebook computer.

In a feature of one or more aspects of the invention, the plurality ofapplications includes an email application, an internet browserapplication, and a streaming audio or video application.

In a feature of one or more aspects of the invention, the plurality ofapplications include a computer game.

In a feature of one or more aspects of the invention, the plurality ofapplications includes a massive multiplayer online role playing game.

In a feature of one or more aspects of the invention, the plurality ofapplications includes a video game.

In a feature of one or more aspects of the invention, the computer is avideo game console.

In a feature of one or more aspects of the invention, the computercomprises a plurality of processing cores.

In a feature of one or more aspects of the invention, the computercomprises a plurality of processing cores, and wherein the computerperforms the method by executing a multi-core virtual dispersive routingprogram.

In a feature of one or more aspects of the invention, differentcommunication requirements differ at least in terms of maximum latencyrequirements and minimum bandwidth requirements.

Another aspect of the present invention relates to a method of providingnetwork communications. The method includes detecting, at a device, arequest for a network connection from an application running on thedevice; spawning a first virtual machine for a network connection thatvirtualizes network capabilities of the device such that a first virtualnetwork connection is provided; spawning a second virtual machine for anetwork connection that virtualizes network capabilities of the devicesuch that a second virtual network connection is provided; using thefirst virtual network connection, establishing a first connection withanother device over a first network path; using the second virtualconnection, establishing a second connection with the other device overa second network path; determining that the second network pathrepresents a trusted path; determining that a first packet does not needto be routed via a trusted connection; transmitting the first packetusing the first virtual network connection for communication via thefirst network path; determining that a second packet needs to be routedvia a trusted connection; and transmitting the second packet using thesecond virtual network connection for communication via the secondnetwork path.

In a feature of this aspect, the step of transmitting the first packetusing the first virtual network connection for communication via thefirst network path is performed at least partially in response to thestep of determining that the first packet does not need to be routed viaa trusted connection.

In a feature of this aspect, the step of transmitting the second packetusing the second virtual network connection for communication via thesecond network path is performed at least partially in response to thestep of determining that the second packet needs to be routed via atrusted connection.

In a feature of this aspect, the first virtual machine is spawned inresponse to the request for a network connection from the applicationrunning on the device.

In a feature of this aspect, the second virtual machine is spawned inresponse to the request for a network connection from the applicationrunning on the device.

In a feature of this aspect, the step of establishing a first connectionwith another device over a first network path comprises selecting afirst routing protocol from among a plurality of available routingprotocols. In at least some implementations, the plurality of availablerouting protocols includes the Interior Gateway Routing Protocol (IGRP),the Enhanced Interior Gateway Routing Protocol (EIGRP), the BorderGateway Protocol (BGP), and the Constrained Shortest Path First (CSPF)protocol. In at least some implementations, the step of transmitting thefirst packet using the first virtual network connection forcommunication via the first network path comprises transmitting thefirst packet using the first virtual machine with the selected firstrouting protocol.

In a feature of this aspect, the step of establishing a first connectionwith another device over a first network path comprises selecting aninitial node of the first network path. In at least someimplementations, the selection of an initial node is based at leastpartially on network information stored at the device. In at least someimplementations, the method further includes a step of querying one ormore nodes of a network for network information. In at least someimplementations, the method further includes receiving the networkinformation from the one or more nodes and generating a routing tablebased on the network information.

In a feature of this aspect, the application is a computer game.

In a feature of this aspect, the device comprises a computer. In atleast some implementations, the computer includes a plurality ofprocessing cores.

In a feature of this aspect, the device is a mobile phone.

Another aspect of the present invention relates to a method of providingnetwork communications. The method includes determining, at a deviceusing application-specific information associated with an applicationrunning on the device, that a first packet needs to be transmitted via atrusted path, and, in response to such determination, transmitting thefirst packet to another device over a first network path via a firstvirtual network connection that virtualizes network capabilities of thedevice; and determining, at the device using application-specificinformation associated with an application running on the device, that asecond packet does not need to be transmitted via a trusted path, and,in response to such determination, transmitting the second packet toanother device over a second network path via a second virtual networkconnection that virtualizes network capabilities of the device.

In a feature of this aspect, the device is a computer.

In a feature of this aspect, the device is a mobile phone.

Another aspect of the present invention relates to a device. The deviceincludes a processor; one or more network adapters providing networkcapabilities; and one or more computer readable media containingcomputer executable instructions. The compute executable instructionsare configured to determine, at a device using application-specificinformation associated with an application running on the device, that afirst packet needs to be transmitted via a trusted path, and, inresponse to such determination, transmitting the first packet to anotherdevice over a first network path via a first virtual network connectionthat virtualizes network capabilities of the one or more networkadapters of the device; and determine, at the device usingapplication-specific information associated with an application runningon the device, that a second packet does not need to be transmitted viaa trusted path, and, in response to such determination, transmitting thesecond packet to another device over a second network path via a secondvirtual network connection that virtualizes network capabilities of theone or more network adapters of the device.

Another network routing aspect of the present invention relates to acomputer arranged in electronic communication with one or more computernetworks, the computer running an operating system and running aplurality of applications, each of the applications programmed tocommunicate over a computer network. The computer is characterized inthat, the computer performs a method comprising the steps of, for eachapplication, (a) creating, for such application, a first virtual machinethat is configured to send and receive communications over the computernetwork; determining, for such application, a first network protocol outof a plurality of available network protocols, the first networkprotocol representing an appropriate network protocol, out of theplurality of available network protocols, for a first set ofcommunication requirements of the application; and causing theapplication, when communicating over the network under the first set ofcommunication requirements of the application, to send and receivecommunications via the first virtual machine using the first networkprotocol; and (b) creating, for such application, a second virtualmachine that is configured to send and receive communications over thecomputer network, the second virtual machine being a separate virtualmachine from that of the first virtual machine; determining, for suchapplication, a second network protocol out of a plurality of availablenetwork protocols, the second network protocol representing anappropriate network protocol, out of the plurality of available networkprotocols, for a second set of communication requirements of theapplication, the second set of communication requirements beingdifferent from the first set; and causing the application, whencommunicating over the network under the second set of communicationrequirements of the application, to send and receive communications viathe second virtual machine using the second network protocol. Multiplevirtual machine instances are created and simultaneously maintained bythe computer for each of the plurality of applications, each virtualmachine instance handling communications under a set of communicationrequirements of one of the plurality of applications via a networkingprotocol that has been determined to be appropriate for such set ofcommunication requirements of the application.

In a feature of one or more aspects of the invention, the computerperforms the method by executing a virtual dispersive routing program.

In a feature of one or more aspects of the invention, the computer is apersonal computer.

In a feature of one or more aspects of the invention, the computer is apersonal desktop computer.

In a feature of one or more aspects of the invention, the computer is apersonal laptop or notebook computer.

In a feature of one or more aspects of the invention, the plurality ofapplications includes an email application, an internet browserapplication, and a streaming audio or video application.

In a feature of one or more aspects of the invention, the plurality ofapplications includes a computer game.

In a feature of one or more aspects of the invention, the plurality ofapplications includes a massive multiplayer online role playing game.

In a feature of one or more aspects of the invention, the plurality ofapplications includes a video game.

In a feature of one or more aspects of the invention, the computer is avideo game console.

In a feature of one or more aspects of the invention, the computercomprises a plurality of processing cores.

In a feature of one or more aspects of the invention, the computercomprises a plurality of processing cores, and wherein the computerperforms the method by executing a multi-core virtual dispersive routingprogram.

In a feature of one or more aspects of the invention, differentcommunication requirements differ at least in terms of maximum latencyrequirements and minimum bandwidth requirements.

Another network routing aspect of the present invention relates to amethod of routing data over a network at a client device usingvirtualization. The method includes the steps of receiving a request fora network connection from an application running on the client device;spawning a virtual machine adapted to virtualize network capabilities ofthe client device; selecting a routing protocol from among a pluralityof available routing protocols; determining a first node to communicatewith, said determination being informed by network information stored onthe client device; and communicating, using the selected routingprotocol, data of the application to the first node.

In a feature of this aspect of the invention, said selection of arouting protocol is informed by information associated with theapplication.

In a feature of this aspect of the invention, the method furtherincludes spawning another virtual machine adapted to virtualize networkcapabilities of the client device; selecting a second routing protocolfrom among a plurality of available routing protocols; determining asecond node to communicate with, said determination being informed bynetwork information stored on the client device; and communicating,using the selected second routing protocol, data of the application tothe second node.

In a feature of this aspect of the invention, the method furtherincludes, prior to said step of spawning another virtual machine, thestep of determining that the application requires another networkconnection.

In a feature of this aspect of the invention, the step of determiningthat the application requires another network connection comprisesdetermining whether a current network connection can meet performancerequirements of the application.

In a feature of this aspect of the invention, said step of communicatingcomprises transmitting packets of data.

In a feature of one or more aspect of the invention, said packets are IPpackets.

In a feature of this aspect of the invention, the method furtherincludes, prior to the step of receiving a request for a networkconnection, the steps of querying a network for the network information;and storing the network information in a computer readable medium.

In a feature of this aspect of the invention, the method furtherincludes, prior to the step of receiving a request for a networkconnection, the steps of querying a network for data relating to thenetwork, generating a routing table based on the data relating to thenetwork, and storing the routing table in a computer readable medium.The network information that informs said determining step comprisesinformation stored in the routing table.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes the Interior Gateway RoutingProtocol (IGRP).

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes the Enhanced Interior GatewayRouting Protocol (EIGRP).

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes the Border Gateway Protocol (BGP).

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes the Constrained Shortest Path First(CSPF) protocol.

In a feature of one or more aspects of the invention, the selectedrouting protocol is ported to run on a chip core.

In a feature of one or more aspects of the invention, the selectedrouting protocol is run on multiple cores.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes pro-active routing algorithms.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes reactive routing algorithms.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes flow oriented routing algorithms.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes adaptive routing algorithms.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes hybrid routing algorithms.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes hierarchical routing algorithms.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes geographical routing algorithms.

In a feature of one or more aspects of the invention, the plurality ofavailable routing protocols includes power aware routing algorithms.

Another network routing aspect of the present invention relates to amethod for providing information relating to a node along a networkpath. The method includes receiving, at a first node, a packettransmitted by a client device, the packet including a header and apayload; storing, at the first node, information from the packet in acomputer readable medium; appending, to the payload of the packet,information associated with the first node; determining a second node totransmit the packet to, said determination being informed by networkinformation stored on the first node; and transmitting the packet to thesecond node.

In a feature of this aspect of the invention, the information from thepacket includes information relating to a routing protocol, and whereinsaid transmitting step comprises transmitting the packet utilizing therouting protocol.

Another network routing aspect of the present invention relates to amethod of determining a path of a packet. The method includes receivinga packet including a header and a payload, the payload includinginformation appended to the payload by each of a plurality of nodes, theinformation appended to the payload by each of the plurality of nodesincluding information associated with the node that appended it; storingthe payload in a computer readable medium; and analyzing the informationappended to the payload by each of the plurality of nodes to determine apath of the packet.

In a feature of this aspect of the invention, the method furtherincludes determining whether the path of the packet satisfies previouslydefined connection requirements.

Another network routing aspect of the present invention relates to amethod of responding to a dropped connection. The method includestransmitting a packet to a first node using a first routing protocol forcommunication to a destination device; setting a predefined timer, thepredefined timer having a value corresponding to an amount of timegreater than an average response time of the destination device; andupon expiration of the predefined timer, automatically transmitting thepacket to a second node using a second routing protocol forcommunication to the destination device.

In a feature of this aspect of the invention, the first routing protocoland the second routing protocol are the same routing protocol.

In a feature of this aspect of the invention, the first node and thesecond node are the same node.

Another network routing aspect of the present invention relates to amethod of responding to a corrupted packet. The method includesreceiving a packet from a transmitting device at a first virtual machineof a destination device; determining whether the packet has beentampered with, said determination being informed by information from anapplication running on the client device; quarantining the packet;spawning a new virtual machine at the destination device; andcommunicating, using the new virtual machine, with the transmittingdevice.

In a feature of this aspect of the invention, said step of communicatingcomprises communicating using a routing protocol different from arouting protocol used to transmit the packet.

In a feature of this aspect of the invention, said step of communicatingcomprises communicating using a path different from a path used totransmit the packet.

In a feature of this aspect of the invention, the method furtherincludes shutting down the first virtual machine.

Another network routing aspect of the present invention relates to amethod of responding to a network attack. The method includescommunicating with a remote device through a first virtual machine of aclient device; detecting a network attack at the first virtual machineof the client device; spawning a second virtual machine at the clientdevice; and communicating with the remote device through the secondvirtual machine of the client device.

In a feature of this aspect of the invention, said step of communicatingthrough a first virtual machine comprises communicating via a path andsaid step of communicating through the second virtual machine comprisescommunicating via a different path.

In a feature of this aspect of the invention, said step of communicatingthrough a first virtual machine comprises communicating via a networkprotocol and said step of communicating through the second virtualmachine comprises communicating via a different network protocol.

In a feature of this aspect of the invention, the method furtherincludes shutting down the first virtual machine.

In a feature of this aspect of the invention, the method furtherincludes monitoring communications received through the first virtualmachine.

In a feature of this aspect of the invention, the method furtherincludes generating a third virtual machine; determining a source of thenetwork attack; and initiating a retaliatory network attack through thethird virtual machine against the source of the network attack.

Another network routing aspect of the present invention relates to amethod of routing data over a network at a client device usingvirtualization. The method includes detecting a request for a networkconnection from an application running on the client device;determining, from the application, application-specific informationassociated with the application; using the application-specificinformation, selecting a routing protocol from among a plurality ofavailable routing protocols; and using the selected routing protocol,transmitting data of the application from the client device over thenetwork.

Another network routing aspect of the present invention relates to amethod of routing data over a network at a client device usingvirtualization. The method includes the steps of detecting, at a virtualrouter on the client device, a request for a network connection from anapplication running on the client device; spawning, by the virtualrouter, a virtual machine adapted to virtualize network capabilities ofthe client device; selecting, by the virtual router, a routing protocolfrom among a plurality of available routing protocols; andcommunicating, using the selected routing protocol, data of theapplication to the first node.

Another network routing aspect of the present invention relates to amethod of routing data over a network at a client device usingvirtualization. The method includes the steps of detecting, at a virtualrouter on the client device, a request for a network connection from anapplication running on the client device; selecting, by the virtualrouter, a routing protocol from among a plurality of available routingprotocols; determining, by the virtual router, a first node tocommunicate with, said determination being informed by networkinformation stored on the client device; and using a virtual machine onthe client device, communicating, using the selected routing protocol,data of the application to the first node.

Another network routing aspect of the present invention relates to amethod of routing data over a network at a client device usingvirtualization. The method includes detecting, at a virtual router onthe client device, a request for a network connection from anapplication running on the client device; spawning, by the virtualrouter, a virtual machine adapted to virtualize network capabilities ofthe client device; selecting, by the virtual router, a routing protocolfrom among a plurality of available routing protocols; determining, bythe virtual router, a first node to communicate with according to theselected routing protocol; and, using a virtual machine on the clientdevice, communicating data of the application to the first node.

Another network routing aspect of the present invention relates to amethod of routing data over a network at client devices usingvirtualization. The method includes the steps of detecting, at a firstvirtual router on a first client device, a request for a networkconnection from an application running on the first client device;selecting, by the first virtual router, a routing protocol from among aplurality of available routing protocols; using a virtual machine on thefirst client device, transmitting, according to the routing protocolselected by the first virtual router, data of the first client deviceapplication from the first client device over the network; receiving thedata at a second client device; detecting, at a second virtual router onthe second client device, a request for a network connection from anapplication running on the second client device; selecting, by thesecond virtual router, a routing protocol from among a plurality ofavailable routing protocols; and using a virtual machine on the secondclient device, transmitting, according to the routing protocol selectedby the second virtual router, data of the second client deviceapplication from the second client device over the network.

In a feature of this aspect of the invention, the first routing protocolis different from the second routing protocol.

Another network routing aspect of the present invention relates to amethod of determining a routing path of a packet. The method includesreceiving, at a client device in a network, a packet including a headerand a payload, the payload including information appended to the payloadby at least one other node in the network, the information appended tothe payload by each of the at least one network node includinginformation associated with the node that appended it; analyzing, at avirtual router on the client device, the information appended to thepayload by each of the at least one network node; based at least partlyon the analyzed information, selecting, by the virtual router, a routingprotocol from among a plurality of available routing protocols; andtransmitting, according to the routing protocol selected by the virtualrouter, the packet over the network.

Another network routing aspect of the present invention relates to amethod of determining a routing path of a packet, comprising: receiving,at a client device in a network, a packet including a header and apayload, the payload including information appended to the payload by atleast one other node in the network, the information appended to thepayload by each of the at least one network node including informationassociated with the node that appended it; based at least partly oncontent of the payload, selecting, by a virtual router on the clientdevice, a routing protocol from among a plurality of available routingprotocols; appending additional information, including informationassociated with the client device, to the payload; and transmitting,according to the routing protocol selected by the virtual router, thepacket, included the appended payload, over the network.

Another network routing aspect of the present invention relates to avirtual dispersive routing software client stored in a computer readablemedium of a client device. The virtual dispersive routing softwareincludes a virtual machine manager (also referred to as a virtualmachine monitor), adapted to spawn virtual machines; a routing platformincluding software adapted to implement a plurality of routingprotocols; a controller adapted to intercept network requests intendedfor a network card; and an application interface adapted to communicateinformation relating to an application running on the client device tothe controller.

Another network routing aspect of the present invention relates to theapplication interface.

Another network routing aspect of the present invention relates to aspider comprising a connective link between an upper level and a lowerlevel of a protocol stack.

In a feature of one or more aspects of the present invention, thecomputer is a handheld mobile device.

In a feature of one or more aspects of the present invention, thecomputer is a mobile phone.

In a feature of one or more aspects of the present invention, theplurality of available routing protocols includes the Open Shortest PathFirst (OSPF) protocol.

In a feature of one or more aspects of the present invention, thenetwork is a wireless network.

In a feature of one or more aspects of the present invention, thenetwork is a Wi-Fi network.

Another network routing aspect of the present invention relates to amethod of utilizing information from one layer of a protocol stack toinform decisions at another layer of the protocol stack.

The method includes loading a spider configured to thread together anupper application layer and a lower layer of a protocol stack; receivinga packet at the lower layer; running a checksum on the packet; anddetermining whether a value returned from the checksum corresponds to avalue associated with the application layer.

Another network routing aspect of the present invention relates to amethod of utilizing a spider. The method includes loading a spiderconfigured to thread together a first layer and a second layer of aprotocol stack; and utilizing information associated with the firstlayer to inform a decision at the second layer.

Wirth regard to the aspects and features in network communications inaccordance with the present invention, reference is made to the claimsas filed in the incorporated '075 application, and in particular claims170-489, which claims are incorporated herein by reference.

BRIEF DESCRIPTION OF THE DRAWINGS

One or more preferred embodiments of the present invention now will bedescribed in detail with reference to the accompanying drawings.

FIG. 1 illustrates components of a VDR software client loaded onto aclient device in accordance with an embodiment of the present invention.

FIG. 2 illustrates an exemplary network in which a VDR client gathersLAN routing information and queries an external network for backboneinformation and application-specific routing information in accordancewith an embodiment of the present invention.

FIG. 3 illustrates the addition of data to the payload of a packet oneach of a plurality of hops in accordance with an embodiment of thepresent invention.

FIGS. 4A-C provide a simplified example of a VDR software response to anetwork attack in accordance with an embodiment of the presentinvention.

FIGS. 5 and 6A-B illustrate an exemplary VDR implementation inaccordance with a preferred embodiment of the present invention.

FIG. 7 includes Table 2, which table details data stored by a node inthe payload of a packet.

FIG. 8 illustrates a direct connection between two clients in accordancewith one or more preferred implementations.

FIG. 9A illustrates an exemplary process for direct transfer of a filefrom a first client to a second client in accordance with one or morepreferred implementations.

FIG. 9B illustrates an exemplary user interface for a Sharzing filetransfer application in accordance with one or more preferredimplementations.

FIG. 10 includes Table 3, which illustrates potential resource reductionin accordance with one or more preferred implementations.

FIG. 11 illustrates client and server architectures in accordance withone or more preferred implementations.

FIGS. 12 and 13 illustrate exemplary processes for downloading of a filein accordance with one or more preferred implementations.

DETAILED DESCRIPTION

As a preliminary matter, it will readily be understood by one havingordinary skill in the relevant art (“Ordinary Artisan”) that the presentinvention has broad utility and application. Furthermore, any embodimentdiscussed and identified as being “preferred” is considered to be partof a best mode contemplated for carrying out the present invention.Other embodiments also may be discussed for additional illustrativepurposes in providing a full and enabling disclosure of the presentinvention. Moreover, many embodiments, such as adaptations, variations,modifications, and equivalent arrangements, will be implicitly disclosedby the embodiments described herein and fall within the scope of thepresent invention.

Accordingly, while the present invention is described herein in detailin relation to one or more embodiments, it is to be understood that thisdisclosure is illustrative and exemplary of the present invention, andis made merely for the purposes of providing a full and enablingdisclosure of the present invention. The detailed disclosure herein ofone or more embodiments is not intended, nor is to be construed, tolimit the scope of patent protection afforded the present invention,which scope is to be defined by the claims and the equivalents thereof.It is not intended that the scope of patent protection afforded thepresent invention be defined by reading into any claim a limitationfound herein that does not explicitly appear in the claim itself.

Thus, for example, any sequence(s) and/or temporal order of steps ofvarious processes or methods that are described herein are illustrativeand not restrictive. Accordingly, it should be understood that, althoughsteps of various processes or methods may be shown and described asbeing in a sequence or temporal order, the steps of any such processesor methods are not limited to being carried out in any particularsequence or order, absent an indication otherwise. Indeed, the steps insuch processes or methods generally may be carried out in variousdifferent sequences and orders while still falling within the scope ofthe present invention. Accordingly, it is intended that the scope ofpatent protection afforded the present invention is to be defined by theappended claims rather than the description set forth herein.

Additionally, it is important to note that each term used herein refersto that which the Ordinary Artisan would understand such term to meanbased on the contextual use of such term herein. To the extent that themeaning of a term used herein—as understood by the Ordinary Artisanbased on the contextual use of such term—differs in any way from anyparticular dictionary definition of such term, it is intended that themeaning of the term as understood by the Ordinary Artisan shouldprevail.

Furthermore, it is important to note that, as used herein, “a” and “an”each generally denotes “at least one,” but does not exclude a pluralityunless the contextual use dictates otherwise. Thus, reference to “apicnic basket having an apple” describes “a picnic basket having atleast one apple” as well as “a picnic basket having apples.” Incontrast, reference to “a picnic basket having a single apple” describes“a picnic basket having only one apple.”

When used herein to join a list of items, “or” denotes “at least one ofthe items,” but does not exclude a plurality of items of the list. Thus,reference to “a picnic basket having cheese or crackers” describes “apicnic basket having cheese without crackers”, “a picnic basket havingcrackers without cheese”, and “a picnic basket having both cheese andcrackers.” Finally, when used herein to join a list of items, “and”denotes “all of the items of the list.” Thus, reference to “a picnicbasket having cheese and crackers” describes “a picnic basket havingcheese, wherein the picnic basket further has crackers,” as well asdescribes “a picnic basket having crackers, wherein the picnic basketfurther has cheese.”

Further, as used herein, the term server may be utilized to refer toboth a single server, or a plurality of servers working together.

Additionally, as used herein, “an open network connection” (alsoreferred to as a “direct connection”) generally means a network pathwayof router nodes that extends between two end-user devices whereby datais sent from one of the end-user devices to the other end-user devicewithout connecting to a server, or an equivalent pathway where the datathat is sent is neither stored nor forwarded by a server.

As used herein, a “client device” (sometimes simply referred to hereinas a “client”) is a device on which an application runs that utilizesnetwork communication. Furthermore, a client device is sometimesreferred to as an “end device”, “end-user device”, “end-client device”,or simply “destination device” as the application on the client deviceis the end recipient of a network communication in some scenarios. Theclient device also is sometimes referred to as a “mobile device” as theclient device may be portable in some scenarios, such as when the clientdevice comprises, for example, a mobile phone, a laptop computer, or anotebook computer.

A “transmitting device” is a device disposed in network communicationswith a client device, and itself may be a client device or a networkdevice, including a conventional, centrally located specialized routingdevice. Similarly, a “remote device” is a device with which a clientdevice communicates, and the remote device may be another client deviceor a network device.

A “computer” as used herein has a processor and is capable of running anapplication that utilizes network communication. The processor may havea single processing core or a plurality of processing cores. Examples ofa computer include a personal desktop; a laptop; a notebook; a mobilecommunications device; a handheld mobile device, such as a mobile phone;and a video game console. Furthermore, it is contemplated that acomputer may be a client device.

Finally, as used herein, a “network” is a communications network bywhich communications are sent, received, or both. A network maycomprise, for example, the Internet, an Intranet or an Extranet. Anetwork may utilize CDMA, WiMax, GSM, WCDMA, or other communicationtechnologies, and may include wired and wireless transmissions.

Referring now to the drawings, one or more preferred embodiments of thepresent invention are next described. The following description of oneor more preferred embodiments is merely exemplary in nature and is in noway intended to limit the invention, its implementations, or uses.

VDR

Virtual dispersive routing (hereinafter, “VDR”) relates generally toproviding routing capabilities at a plurality of client devices usingvirtualization. Whereas traditional routing calls for most, if not all,routing functionality to be carried out by centrally located specializedrouting devices, VDR enables dispersed client devices to assist with, oreven takeover, routing functionality, and thus is properly characterizedas dispersive. Advantageously, because routing is performed locally at aclient device, a routing protocol is selected by the client based uponconnection requirements of the local application initiating theconnection. A protocol can be selected for multiple such connections andmultiple routing protocols can even be utilized simultaneously. Thefragile nature of the routing protocols will be appreciated, and thusvirtualization is utilized together with the localization of routing toprovide a much more robust system. Consequently, such dispersive routingis properly characterized as virtual.

More specifically, preferred VDR implementations require that a VDRsoftware client be loaded on each client device to help control andoptimize network communications and performance. Preferably, VDR isimplemented exclusively as software and does not include any hardwarecomponents. Preferably, the basic components of a VDR software clientinclude a routing platform (hereinafter, “RP”); a virtual machinemonitor (hereinafter, “VMM”); a dispersive controller (hereinafter,“DC”); and an application interface (hereinafter, “Al”). FIG. 1illustrates each of these components loaded onto a client device. Eachof these components is now discussed in turn.

The Routing Platform (RP) and Multiple Routing Protocols

Despite eschewing the traditional routing model utilizing central pointsof control, VDR is designed to function with existing routing protocols.Supported routing protocols, together with software necessary for theiruse, are included in the routing platform component of the VDR software,which can be seen in FIG. 1. For example, the RP includes software toimplement and support the Interior Gateway Routing Protocol (“IGRP”),the Enhanced Interior Gateway Routing Protocol (“EIGRP”), the BorderGateway Protocol (“BGP”), the Open Shortest Path First (“OSPF”)protocol, and the Constrained Shortest Path First (“CSPF”) protocol. Itwill be appreciated that in at least some embodiments, a port will beneeded to allow conventional routing software to run on a chip core (forexample, a core of an Intel chip) at a client device. Preferably,multi-core components are used to allow routing protocols to be run onmultiple cores to improve overall performance.

Moreover, it will be appreciated that the ability to support multiplerouting protocols allows VDR to meet the needs of applications havingvarying mobility requirements. Applications can be supported by ad hocalgorithms such as pro-active (table driven) routing, reactive(on-demand) routing, flow oriented routing, adaptive (situation aware)routing, hybrid (pro-active/reactive) routing, hierarchical routing,geographical routing, and power aware routing. Further, the use ofmultiple protocols supports broadcasting, multi-casting, andsimul-casting. It will be appreciated that the use of multiple protocolsprovides support for multi-threaded networking as well.

The Virtual Machine Monitor (VMM) and Virtualization

It will be appreciated that virtualization is known in some computingcontexts, such as virtualization of memory and processing.Virtualization enables the abstraction of computer resources and canmake a single physical resource appear, and function, as multiplelogical resources. Traditionally, this capability enables developers toabstract development of an application so that it runs homogenouslyacross many hardware platforms. More generally, virtualization is gearedto hiding technical detail through encapsulation. This encapsulationprovides the mechanism to support complex networking and improvedsecurity that is required to enable routing at client devices.

More specifically, a virtual machine (hereinafter, “VM”) is a softwarecopy of a real machine interface. The purpose of running a VM is toprovide an environment that enables a computer to isolate and controlaccess to its services. The virtual machine monitor (VMM) component isused to run a plurality of VMs on a real machine and interface directlywith that real machine. As an example, consider a VMM on a real machinethat creates and runs a plurality of VMs. A different operating systemis then loaded onto each VM. Each VM provides a virtual interface thatwould appear to each operating system to be a real machine. The VMM runsthe plurality of VMs and interfaces with the real machine.

In a VDR implementation, a VMM is utilized to create a VM for eachdistinct connection, wherein each “connection” generally comprises atransfer of data in the form of packets from a first end device to asecond end device along a path (or route). It will be appreciated that asingle application can require multiple connections. For example, anapplication may require multiple connections because of bandwidthapplication requirements and performance requirements. In this eventeach connection preferably interfaces with its own VM, and eachconnection can utilize (sometimes referred to as being tied to) the samerouting protocol or different routing protocols, even though theconnections are themselves necessitated by the same application.Similarly, although two connections may at times travel along anidentical path, the connections themselves may nevertheless be distinct,and each will preferably still continue to interface with its own VM.

The Dispersive Controller (DC) and Optimizing Performance

When the client is in need of a new connection, a dispersive controllerlocated between an operating system and a driver that controls networkhardware (such as a NIC card) intercepts the request for a newconnection and tells the VMM to spawn a new VM associated with thedesired connection. The DC then queries the application interface andutilizes any information obtained to select a routing protocol fromamong those supported by the RP. This selected routing protocol,however, is currently believed to be generally useless without knowledgeof the surrounding network. To this end, the DC allows each client tofind other clients, interrogate network devices, and utilize systemresources. Thus, each VDR client is “network aware”, in that routinginformation is gathered and maintained at each client by the DC.

FIG. 2 illustrates a network in which a VDR client 201 gathers LANrouting information and queries an external network for backboneinformation and application-specific routing information. In response tothese queries, routing information is returned. This returned routinginformation is cached, processed, data mined, compared to historicaldata, and used to calculate performance metrics to gauge and determinethe overall effectiveness of the network. This is possible because theresources available at a VDR client will typically be greater than thoseavailable at a conventional router.

In at least some embodiments, a VDR network functions in some wayssimilarly to a conventional network. In a conventional network, data, inthe form of packets, is sent to a router to be routed according to arouting table maintained at the router. Similarly, in a VDR network,after utilizing gathered network information to generate a routingtable, a client device utilizes this generated routing table to select aroute and transmit a packet accordingly, which packet is then receivedby another client device and routed according to that client's routingtable, and so on, until the packet reaches its destination.

However, rather than simply passing on received packets from client toclient, in a manner akin to a traditional router, VDR, via the DC,instead takes advantage of the storage and processing resourcesavailable at each client, while still remaining compatible with existingnetwork architecture, by attaching lower level protocol data to thepayload of transmitted packets for subsequent client analysis.

More specifically, when a packet is received at a VDR client, a virtualmachine intercepts the packet passed from the networking hardware (forexample, a NIC card) and places it in memory. The VDR client thenprocesses the packet data. When the data is subsequently passed on, thisprocessed data is appended to the payload of the packet together withinformation relating to the VDR client for analysis at the destination.As can be seen in FIG. 3, the result of this process is that each hopcauses additional information to be added to the payload of a packet,and thus results in a direct increase in payload size proportionate tothe number of hops taken by the packet. Specifically, each hop isbelieved to result in an increase of 35 bytes for an IPv4implementation, and 59 bytes for an IPv6 implementation. Table 2 of FIG.7 details the information stored from each layer, along with the numberof bytes allotted for each field. It will be appreciated that differentor additional information could be stored in alternative embodiments.

Currently, 128-bit addressing provides support for IPv4 and IPv6addressing, but support for additional addressing schemes iscontemplated. It will be appreciated that for a typical communicationover the Internet, i.e., one consisting of around 20 hops, the overheadappended to the payload will be around 700 bytes utilizing IPv4 andaround 1180 bytes utilizing IPv6. It is believed that, in a worst casescenario, an extra IP datagram could be required for every datagramsent. Although some of this data may seem redundant at first blush, somerepetition is tolerable and even necessary because network addresstranslation (“NAT”) can change source or destination fields. That beingsaid, it is contemplated that some implementations use caching to lowerthis overhead. Additionally, in at least some implementations, the VDRclient utilizes application specific knowledge to tailor the informationthat is appended to the needs of a specific application.

Conventionally, when a packet is received at a router, routinginformation is typically stripped off each packet by the router anddisregarded. This is because each router has limited memory and handlesan enormous number of packets. When a packet is received at adestination VDR client, however, the destination client has sufficientresources to store and process the information delivered to it.Additionally, to the extent that client resources may be taxed, the VDRclient need not always store this information in every packet received,as in at least some embodiments application knowledge provides theclient with an understanding of which packets are important toapplications running on the client. Regardless of whether some or all ofthis information delivered in the payload of each data packet isprocessed, the information that is processed is analyzed to create a“network fingerprint” of the nodes involved in the communication link.Thus, VDR software loaded on nodes along a path enables the nodes toappend information regarding a path of a packet, which in turn enablesthe generation of a network fingerprint at the destination device, whichnetwork fingerprint represents a historical record that is stored andmaintained for later forensic analysis. In addition to forensic analysisby the client, the maintenance of network information on the clientenables forensic analysis by a server as well.

The Application Interface (AI) & Application Knowledge

One of the benefits of providing routing functionality at a clientdevice is that the client is able to utilize its knowledge of theapplication initiating a connection to enhance routing performance forthat application. This knowledge is provided to the DC via anapplication interface, as can be seen in FIG. 1. Utilizing applicationknowledge to enhance routing performance could be useful to a variety ofapplications, such, as for example, computer games including massivelymultiplayer online role playing games.

The virtualization of routing functionality at a client device, asdescribed hereinabove, allows multiple routing protocols and algorithmsto be run simultaneously on a client device. Thus, the DC utilizes theapplication interface to obtain required criteria for an applicationconnection and then chooses from among the protocols and algorithmsavailable via the RP.

For example, Application “A” may need to communicate very large amountsof data, and thus require a routing protocol that optimizes bandwidth,while Application “B” may only need to communicate very small amounts ofdata at very fast speeds, and thus require a routing protocol thatminimizes latency irrespective of bandwidth. A traditional router cannottell the difference between packets originating from Application “A” andthose originating from Application “B”, and thus will utilize the samerouting protocol for packets from each application. A VDR client,however, is aware of applications running locally, and thus can beaware, through the AI, of various connection criteria for eachapplication. These connection criteria can then be utilized by the VDRclient in selecting a routing protocol or algorithm. Furthermore, asdescribed hereinabove, both the selected routing protocol and theoriginating application associated with a packet can be communicated toother client nodes via data appended to the payload of the packet. Thus,the protocol selected at a source client can be utilized to route thepacket throughout its path to a destination client. Further, becausevirtualization allows multiple routing protocols to be run on a singleclient, each application can utilize its own routing protocol.

Moreover, a VDR client can utilize knowledge of the path of a specificconnection to further optimize performance. Because a networkfingerprint can be gathered detailing the nodes in a communication path,a VDR client running on a client device can analyze each networkfingerprint to determine whether the associated connection satisfies theconnection criteria of the application desiring to utilize theconnection. If the connection does not satisfy the connection criteria,then the client can attempt to find a connection that does satisfy thecriteria by switching to a different protocol and/or switching to adifferent first node in its routing table. Combinations utilizingvarious protocols and selecting a variety of first nodes can beattempted, and the resultant paths evaluated until a path is found thatdoes satisfy connection criteria. Additionally, combinations utilizingvarious protocols and selecting a variety of first nodes can be utilizedto create route redundancy. Such route redundancy can provide to anapplication both higher bandwidth and controllable quality of service.

Although connection criteria for source and destination clients willoften be identical, there are many situations where this will not be thecase. For example, if one client is downloading streaming video fromanother client, then the connection requirements for each client willlikely not be identical. In this and other situations, connectionsbetween two clients may be asymmetrical, i.e., client “A” transmitspackets to client “B” over path 1, but client “B” transmits packets toclient “A” over path 2. In each case, because path information gleanedfrom the payload of packets is stored and processed at the destinationclient, the evaluation of whether the path meets the required connectioncriteria is made at the destination client. In the example above, client“B” would determine whether path 1 satisfies its application'sconnection criteria, while client “A” would determine whether path 2satisfies its application's connection criteria.

Perhaps the epitome of a connection that does not satisfy connectioncriteria is a broken, or failed, connection. In the event of aconnection break, VDR enjoys a significant advantage over moretraditional routing. Conventionally, recognition of a connection breakwould require a timeout at an upper level application, with either thepath being re-routed subsequent to the timeout or a connection failuremessage being presented to a user. A VDR client, however, is aware ofgenerally how long it should take to receive a response to a transmittedcommunication, and can utilize this awareness to speed up routeconvergence for additional network connections to insure applicationrobustness and performance requirements, performance requirements beingdefined as criteria that must be met to allow the application to runproperly, i.e., video conferencing can't wait too long for packets toshow up or else the audio “crackles” and the image “freezes.” Forexample, a VDR client may be aware that it should receive a response toa communication in 500 ms. If a response has not been received after 500ms, the VDR client can initiate a new connection utilizing a differentrouting protocol and/or first node as outlined above with respect tofinding a satisfactory connection path.

In addition to performance optimization, application knowledge can alsobe utilized to enhance network security. For example, an application mayhave certain security requirements. A VDR client aware of theserequirements can create a “trusted network” connection that can be usedto transfer information securely over this connection in accordance withthe requirements of the application. A more traditional routing schemecould not ensure such a trusted connection, as it could notdifferentiate between packets needing this secure connection and otherpackets to be routed in a conventional manner.

But before elaborating on security measures that may be built in to aVDR implementation, it is worth noting that a VDR client is able to workin concert with an existing client firewall to protect software andhardware resources. It will be appreciated that conventional firewallsprotect the flow of data into and out of a client and defend againsthacking and data corruption. Preferably, VDR software interfaces withany existing client firewall for ease of integration with existingsystems, but it is contemplated that in some implementations VDRsoftware can include its own firewall. In either implementation, the VDRsoftware can interface with the firewall to open and close ports asnecessary, thereby controlling the flow of data in and out.

In addition to this firewall security, by utilizing applicationknowledge the VDR software can filter and control packets relative toapplications running on the client. Thus, packets are checked not onlyto ensure a correct destination address, but further are checked toensure that they belong to a valid client application.

One way VDR software can accomplish this is by utilizing “spiders” tothread together different layers of the protocol stack to enable datacommunication, thereby reducing delays and taking advantage of networktopologies. Each spider represents software that is used to analyze datafrom different layers of the software stack and make decisions. Thesethreaded connections can be used to speed data transfer in staticconfigurations and modify data transfer in dynamic circumstances. As anexample, consider a client device running a secure email applicationwhich includes a security identification code. Packets for thisapplication include a checksum that when run will come up with thisidentification code. A spider would allow this upper level applicationsecurity identification code to be connected to the lower layer. Thus,the lower layer could run a checksum on incoming packets and discardthose that do not produce the identification code. It will beappreciated that a more complex MD5 hash algorithm could be utilized aswell.

Moreover, because the VDR software is knowledgeable of the applicationrequiring a particular connection, the software can adaptively learn andidentify atypical behavior from an outside network and react byquarantining an incoming data stream until it can be verified. Thisability to match incoming data against application needs and isolate anypotential security issues significantly undermines the ability of ahacker to gain access to client resources.

Additionally, when such a security issue is identified, a VDR client cantake appropriate steps to ensure that it does not compromise thenetwork. Because a VDR client is network aware and keeps track of otherclients that it has been communicating with, when a security issue isidentified, the VDR client can not only isolate the suspect connection,the VDR client can further initiate a new connection utilizing adifferent routing protocol and/or first node as outlined above withrespect to finding a satisfactory connection path. Alternatively, oradditionally, the VDR client could simply choose to switch protocols onthe fly and communicate this switch to each client with which it is incommunication.

FIGS. 4A-C provide a simplified example of such action for illustrativeeffect. In FIG. 4A, VDR client 403 is communicating with VDR client 405over connection 440. In FIG. 4B, external computer 411 tries to alterpacket 491 transmitted from client 403 to client 405. Client 405 runs ahashing algorithm on the received packet 491 and identifies that it hasbeen corrupted. Client 405 then quarantines packets received viaconnection 440 and, as can be seen in FIG. 4C, establishes a newconnection 450 with client 403.

Upon discovery of an “attack” on a network or specific networkconnection, a VDR client can monitor the attack, defend against theattack, and/or attack the “hacker”. Almost certainly, a new, secureconnection will be established as described above. However, afterestablishing a new connection, the VDR client can then choose to simplykill the old connection, or, alternatively, leave the old connection upso that the attacker will continue to think the attack has some chanceof success. Because each connection is virtualized, as describedhereinabove, a successful attack on any single connection will not spillover and compromise the client as a whole, as crashing the VM associatedwith a single connection would not affect other VMs or the client deviceitself. It is contemplated that a VDR client will attempt to trace backthe attack and attack the original attacker, or alternatively, andpreferably, communicate its situation to another VDR client configuredto do so.

An Exemplary Implementation

Traditionally, wired and wireless networks have tended to be separateand distinct. Recently, however, these types of networks have begun tomerge, with the result being that the routing of data around networkshas become much more complex. Further, users utilizing such a mergednetwork desire a high level of performance from the network regardlessof whether they are connected wirelessly or are connected via a fixedline. As discussed hereinabove, VDR enables a client to monitor routinginformation and choose an appropriate routing protocol to achieve thedesired performance while still remaining compatible with existingnetwork architecture. VDR can be implemented with wired networks,wireless networks (including, for example, Wi-Fi), and networks havingboth wired and wireless portions.

FIG. 5 illustrates an exemplary local area network 510 (hereinafter,“LAN”) utilizing VDR. The LAN 510 includes three internal nodes511,513,515, each having VDR software loaded onto a client of therespective node. The internal nodes 511,513,515 can communicate with oneanother, and further can communicate with edge nodes 512,514,516,518,each also having VDR software loaded onto a client of the respectivenode. The coverage area 519 of the LAN 510 is represented by a dottedcircle. It will be appreciated that the edge nodes 512,514,516,518 arelocated at the periphery of the coverage area 519. The primarydistinction between the internal nodes 511,513,515 and the edge nodes512,514,516,518 is that the internal nodes 511,513,515 are adapted onlyto communicate over the LAN 510, while the edge nodes 512,514,516,518are adapted to communicate both with the internal nodes 511,513,515 andwith edge nodes of other LANs through one or more wide area networks(hereinafter, “WANs”). As one of the nodes 511,513,515 moves within theLAN 510 (or, if properly adapted, moves to another LAN or WAN), VDRallows it to shift to ad hoc, interior, and exterior protocols. Thisability to shift protocols allows the node to select a protocol whichwill provide the best performance for a specific application.

FIG. 6A illustrates an exemplary path between node 513 in LAN 510 andnode 533 in LAN 530. It will be appreciated that an “interior” protocolis utilized for communications inside each LAN, and an “exterior”protocol is utilized for communications between edge nodes of differentLANs. Thus, it will likewise be appreciated that each edge node mustutilize multiple protocols, an interior protocol to communicate withinterior nodes, and an exterior protocol to communicate with other edgenodes of different LANs. Further, at any time an ad hoc protocol couldbe set up which is neither a standard interior nor exterior protocol.

In FIG. 6A, LAN 510 and LAN 530 are both using CSPF as an interiorprotocol, while LAN 520 utilizes EIGRP as an interior protocol. All edgenodes of each of the LANs 510,520,530 are connected to a WAN utilizingBGP to communicate between edge nodes.

The exemplary path between node 513 and node 533 includes node 515, edgenode 518, edge node 522, node 521, node 523, node 525, edge node 528,edge node 534, and node 531. Further, because a particular protocol wasnot selected and propagated by the transmitting node, this connectionutilizes CSPF for internal communications within LAN 510 and LAN 530,EIGRP for internal communications within LAN 520, and BGP for externalcommunications between edge nodes. At one or both end nodes, the VDRsoftware can analyze this information and determine whether thecombination of protocols along this path is satisfactory for thecommunicating application. It will be appreciated that the VDR softwarecan further analyze the information gathered and determine whether thepath meets application requirements for throughput, timing, security,and other important criteria.

In a static environment, this path may represent a connection that meetsapplication requirements and thus no further adjustment would be needed.However, if a network outage were to occur, a network or a node were tomove, or another dynamic event was to occur, the path could need to bealtered.

For example, if LAN 520 were to move out of range, node 533 mightanalyze the path information appended to a packet received after themovement and determine that increased latency resulting from thismovement rendered this path unsuitable per application requirements.Node 533 would then attempt to establish a new connection utilizing adifferent route that would satisfy application requirements. FIG. 6Billustrates such a new connection, which remains between node 513 andnode 533, but rather than being routed through LAN 520 as with the pathillustrated in FIG. 6A, the path is instead routed through LAN 540.

It will be appreciated that the ability to influence path selectionbased on client application needs significantly enhances theperformance, flexibility, and security of the network.

It will further be appreciated from the above description that one ormore aspects of the present invention are contemplated for use with end,client, or end-client devices. A personal or laptop computer areexamples of such a device, but a mobile communications device, such as amobile phone, or a video game console are also examples of such adevice. Still further, it will be appreciated that one or more aspectsof the present invention are contemplated for use with financialtransactions, as the increased security that can be provided by VDR isadvantageous to these transactions.

Network Data Transfer

It will be appreciated that the transmission of data over the Internet,or one or more similar networks, often utilizes precious serverprocessing, memory, and bandwidth, as the data is often delivered from,or processed at, a server. In implementations in accordance with one ormore preferred embodiments of the present invention, some of this serverload is mitigated by use of a direct connection between two end-userdevices, such as, for example two end-user devices having virtualizedrouting capabilities as described hereinabove. Preferably, packets arethen routed between the two end-user devices without passing through aconventional server.

Notably, however, although transferred data packets do not pass througha server, a server may still be utilized to establish, monitor, andcontrol a connection, as illustrated in FIG. 8. Specifically, FIG. 8illustrates two clients and an IP server which determines that theclients are authorized to communicate with one another, and which passesconnection information to the clients that is utilized to establish adirect connection between the clients. Importantly, the IP server is notinvolved in this direct connection, i.e. data transferred via thisdirect connection is not routed through or processed by the IP server,which would require the use of additional resources of the IP server.

It will be appreciated that, in some networks, a firewall may be setupto prevent an end-user device from accepting connections from incomingrequests. There are three basic scenarios that can occur. In a firstcase, there is no firewall obstruction. In the first case, either clientcan initiate the connection for the direct connect. In a second case, asingle client has a firewall obstructing the connection. In this case,the client that is obstructed from accepting the connection isinstructed by the IP Server to initiate the connection to the clientthat is unobstructed by the firewall. In a third case, both clients havefirewalls obstructing the connection. In this case, a software router,or software switch, is used to accept the connection of the two clientsand pass the packets through to the clients directly. Notably, thissoftware router truly acts as a switch, and does not modify the payloadas it passes the packet through. In a preferred implementation, asoftware router is implemented utilizing field programmable gate arrays(FPGAs) or other specific hardware designed to implement suchcross-connect functionality.

A preferred system for such a described direct connection includes oneor more end-user devices having client software loaded thereon, an IPserver, or control server, having server software loaded thereon, andone or more networks (such as, for example Internet, Intranet orExtranet supported by Ethernet, Mobile Phone data networks, e.g. CDMA,WiMAX, GSM, WCDMA and others, wireless networks, e.g. Bluetooth, WiFi,and other wireless data networks) for communication.

In a preferred implementation, client software installed at an end-userdevice is configured to communicate with an IP server, which associates,for example in a database, the IP address of the end-user device with aunique identification of a user, such as an email address, telephonenumber, or other unique identification. The client then periodically“checks in” with the IP server and conveys its IP address to the server,for example by providing its IP address together with the uniqueidentification of the user. This checking in occurs when the client is“turned on”, e.g. when the end-user device is turned on or when theclient software is loaded, as well as when the IP address has changed,or upon the occurrence of any other network event that would change thepath between the client and server, or in accordance with otherconfigured or determined events, times, or timelines, which may beuser-configurable.

By collecting, and updating, the current IP address of a user, otherusers may communicate with that user as the user moves from place toplace. The IP server thus acts as a registry providing updated IPaddresses associated with users. This capability also enables multipledevice delivery of content to multiple end-user devices a userdesignates or owns.

Preferably, such functionality is utilized in combination withvirtualized routing capability as described hereinabove. Specifically,it will be appreciated that, currently, Internet communications utilizesessions, and that upon being dropped, e.g. due to a lost connection, anew session must be initialized.

In a preferred implementation, however, rather than having tore-initiate a new session, for example upon obtaining a new IP address,a new session is created and data is transferred from the old session tothe new session while maintaining the state of the old session. In thisway, a near-seamless transition is presented to a user between an oldsession and a new session. For example, a user might be connected viatheir mobile device to a Wi-Fi connection while they are on the move.They might move out of range of the Wi-Fi connection, but still be inrange of a cellular connection. Rather than simply dropping theirsession, a new session is preferably created, and data from the oldsession copied over, together with the state of the old session. In thisway, although the end-user device is now connected via a cellularconnection, rather than via a Wi-Fi connection, the user's experiencewas not interrupted.

One Client to One Client—File Transfer Implementation

In a preferred implementation, direct connections between end-userdevices having virtualized routing capabilities are utilized in a filetransfer context, such as, for example, with a file sharing application.

FIG. 9A illustrates an exemplary file transfer use scenario between twoclients. As described above, each client is in communication with an IPserver, for example to communicate its IP address to the IP server. Suchcommunications are exemplified by steps 1010 and 1020.

In use, a first client communicates to an IP server a request to connectto a particular client, user, or end-user device at step 1030. The IPserver, or control server, determines whether or not the other client,user, or end-user device is available, e.g. online, and, if so, looks upthe current IP address or other addresses associated with the specifiedclient, user, or end-user device. If the client, user, or end-userdevice is either not online or has left the network, a connectionfailure message is sent. If the client, user, or end-user device isonline, the IP server will take action based upon a pre-selectedpreference setting. Preferably, each user may choose to acceptconnection requests automatically, require a confirmation of acceptance,or require some other authentication information, such as anauthentication certificate, in order to accept a connection request. Ifthe connection request is accepted, either automatically or manually,the IP server enables the transfer, e.g. by communicating to a secondclient that the first client has a file for transfer, as exemplified bystep 1040.

Preferably, the IP server notifies each client involved in the transferof required security levels and protocols, such as, for example, hashingalgorithms used to confirm that received packets have not been altered.The IP server also insures that the client software at each end-userdevice has not been tampered, altered, or hacked.

The clients complete a messaging “handshake”, and then begin transfer ofa file. More specifically, the second client requests a connection withthe first client at step 1050, the first client notifies the IP serverof its status, e.g. that it is beginning a transfer, at step 1060, thefirst client grants the second client's request at step 1070, and thesecond client notifies the IP server of its status, e.g. that itsconnection request was accepted, at step 1080. The file transfer beginsat step 1090.

Periodically, both clients will update the server on the status of thedownload, as illustrated by exemplary steps 1100 and 1110. The serverwill keep track of the file transfer and compare the informationreceived from both clients for completeness and security. Once the filetransfer is completed, at step 1120, a status of each client is sent tothe IP server at steps 1130 and 1140, and the connection is terminatedat step 1150. The clients continue to update their availability with theIP server for future downloads, as illustrated by exemplary steps 1160and 1170.

It will be appreciated that because one of the problems with the TCP/IPprotocol is that significant timing delays can occur betweencommunications, using a virtual machine advantageously allows messagesto be sent at the lowest levels of the stack between virtual machines ofdifferent clients, thus helping insure that communications are notdelayed. Further, the inclusion of local routing capabilities enableseach client to setup another communication link, if needed, for exampleto continue a stalled download. Further still, as preferably bothclients include such routing capability, either client can reinitiate aseparate communication to the other client, thus helping insure thatTCP/IP packet delay timeouts do not draw out the communication.

Additionally, to facilitate more robust transfers, one of the clientscan instruct the other to open other TCP/IP connections independent ofthe server link. For example, a first client may receive an IP addressfor a second client via the IP server, and the second client could thencommunicate additional IP addresses to the first client and communicateduplicate packets via connections established with these additional IPaddresses, thus increasing the reliability of the link. Additionally,the client could send multiple packets over separate IP addresses toinsure a different starting point for transmission, and thus insureunique paths. It will be appreciated that this might advantageouslyallow for the continuing transfer of packets even if one of theconnection paths fails. Notably, each path is closed upon completion ofthe transmission.

FIG. 9B illustrates a user interface for an exemplary file sharingapplication in accordance with a preferred implementation. To initiate atransfer, a user clicks on an application icon to open the user'sFriend's List and a “Sharzing” window. Bold texted names identifyon-line contacts, while grey texted names indicate off-line contacts.When the blades of the graphical connection representation on the rightside of the window, i.e. the Sharzing, are shut, the Sharzing isinactive. Clicking on an on-line contact opens the blades andestablishes a Sharzing connection. The user may then “drag and drop” afile onto the open Sharzing.

Once a Sharzing connection is established, multiple files can betransferred in either direction. Further, multiple Sharzings can beopened simultaneously to different users. Preferably, when a Sharzing isconnected, wallpaper of the opposite PC that is being connected to isdisplayed. As a file is “dragged and dropped” on the Sharzing, theSharzing displays the progress of the file transfer. Using a a Sharzingskin, a Sharzing depiction can take on identities such as, for example,a futuristic StarGate motif. In the case where such a StarGate motif isused, flash wormhole turbulence may begin when a file is placed in theSharzing, and, subsequently, an opening at the end of the wormhole mayemerge to display an image of the file and/or the recipient's desktopwallpaper. Preferably, when the transferred file is visible on thedestination desktop, the transfer is complete.

Many Clients to Many Clients—Video and Audio Conferencing Implementation

In another preferred implementation, direct connections between end-userdevices having virtualized routing capabilities are utilized in atelecommunications context, such as, for example, in an audio and videoconferencing application.

It will be appreciated that in traditional audio and video conferencingapplications, one or more conventional servers act to collate andprocess audio and video streams from a plurality of clients, and thendistribute the processed audio and video streams to the clients. By wayof contrast, in a preferred implementation, an end-user device caninstead establish a direct connection with another end-user device, andcommunicate audio and video directly to the other end-user device,rather than communicating through a conventional server. In suchimplementations, this transmitted audio and video can be directlyprocessed by either a communicating end-user device, a receivingend-user device, or both, rather than by a conventional server.

As described above, via the use of virtualization, a first end-userdevice can establish a direct connection with not just one otherend-user device, but with multiple other end-user devices. The firstend-user device provides each other end-user device with its video andaudio stream, thus effectively acting as a server by “serving” its videoand audio stream to each other end-user device. Each of the otherend-user devices involved in a video conference will receive such videoand audio streams served by this first end-user device; however, eachother end-user device will additionally serve its own video and audiostreams. Thus, each end-user device can be characterized as functioningas both a server and a client, possibly at the same time, i.e. as amultiplexed client/server.

Notably, however, although the end-user devices assume somefunctionality more traditionally assumed by a conventional server invideo conferencing applications, a control server is preferably stillused to oversee the establishment and maintenance of connections betweenend-user devices. Unlike in a traditional implementation, however, it ispreferred that little to no audio or video processing is handled at thiscontrol server, and that the audio and video streams between end-userdevices are not routed through the control server.

Instead, the control server primarily provides authentication andsecurity functionality. Preferably, the control server keeps track of aunique identification of each end-user device, software loaded on eachend-user device, and an IP address of each end-user device.Additionally, the control server preferably controls which end-userdevices can communicate, and at what times they may communicate. Forexample, the control server preferably provides functionality allowing amoderator to “talk” over every other user at any given time.

Each end-user device preferably continually provides information to thecontrol server, including: a status of the end-user device, whether theend-user device is receiving audio, whether the end-user device has lostits connection, an application status, application data, whethersoftware at the end-user device has been tampered with, a rate of one ormore communication links, and a packet error rate of one or morecommunication links.

Use with Conventional Servers—Media Server Implementation

In some preferred implementations, direct connections between end-userdevices having virtualized routing capabilities are utilized incombination with one or more conventional file servers, such as, forexample, in a media server application. Specifically, it will beappreciated that the conventional downloading of data, such as a videofile, from a server is an intensive process that utilizes preciousserver processing, memory, and bandwidth. In preferred implementations,some of the strain of this process is offloaded from such a conventionalserver to one or more end-user devices having virtualized routingcapabilities. This architecture decreases the processing, memoryrequirements and bandwidth loads on a media server. Table 3 of FIG. 10shows the relationship for a media file that is being downloaded from aserver when some of the strain of multiple download requests istransferred off of the media server in accordance with such preferredimplementations.

In a preferred implementation, a plurality of end-user devices compriseVDR clients, and a control server comprises a VDR server, eachrespectively including the architecture illustrated in FIG. 11.

FIG. 12 illustrates an exemplary process for downloading media contentto two VDR clients that was originally stored on a customer videoserver, i.e. a media server. Notably, the process involves not just thetwo VDR clients and the media server, but also a VDR server as well.

The process begins when the first VDR client requests download of mediacontent from the media server at step 1210, followed by a correspondingTCP/IP handshake at step 1215. Subsequently, the media server alerts theVDR server of the download at step 1220. The VDR records the activity ofthe first VDR client along with necessary identification and contactinformation for the first VDR client. The media server follows thetypical download procedure and begins the download to the first VDRclient at step 1225.

Thereafter, a second VDR client requests the same media content from themedia server at step 1230, followed by a corresponding TCP/IP handshakeat step 1235. At step 1240, the media server alerts the VDR server tothe download request by the second VDR client. The VDR server determinesthat a VDR client is active, gathers addressing information for thesecond VDR client, and notifies the media server that it will handle thedownload at step 1245. Notably, a VDR client is active as long as itsconnection is active. It will be appreciated that several methodologiesmay be used to determine how long a client stays active. In at leastsome implementations, a client is shut down, i.e. rendered inactive,immediately after a file is transferred, which may represent the mostefficient use of resources. In a preferred implementation, a timer isutilized, and the client remains active a user-specified number ofminutes following activity. Alternatively, a client's connection couldbe left open until the user wants to close it, or until a networktimeout occurs.

At step 1250, the VDR server communicates to the first VDR client andconfigures it for download capability to the second VDR client, e.g.using the obtained addressing information for the second VDR client. Thesecond VDR client initiates communication with the first VDR client fordownload of the media content from the first VDR client at step 1260,followed by a corresponding TCP/IP handshake at step 1265, and thedownload then begins at step 1270.

Notably, the first VDR client, like most clients, has bandwidthavailable on the uplink when downloading content. It is believed that atypical personal computer, as of the filing date of this application,can handle 3-5 uploads without significant burdening or performancedegradation.

Communication between the first and second VDR clients is accomplishedbetween “Thin Virtual Machines” (TVM) of each VDR client. Each TVM ischaracterized as a “thin” virtual machine, as each preferably generallyincludes only functionality necessary to support virtualized networking,and, preferably, optimizes the resources needed to support thevirtualization of the Network Interface Card (NIC). As will beappreciated from the description hereinabove, each TVM enables eachapplication to have a separate virtual interface to the NIC. Thisfunctionality enables customized security capabilities that can be addedto each application interface individually.

At steps 1280 and 1285, the VDR clients convey status information, e.g.concerning the download, to the VDR server. At step 1290, the first VDRclient completes its download of the media content from the mediaserver. The first VDR client continues the download to the second VDRclient, however. While the download continues, status information issent to the VDR server from each VDR client as exemplified by step 1300.Further, the first and second VDR clients continue to communicate viathe virtual machine interface to detect connection issues and reroutepackets.

The download continues at step 1310. At step 1320, the second VDR clientcompletes its download, and each VDR client notifies the server of suchsuccess, as exemplified by step 1330. The VDR server, in turn, notifiesthe media server that the download to the second VDR client wascompleted successfully at step 1340.

If, instead of being completed successfully, the second VDR client'sdownload of the media content had not completed, the second VDR clientwould have contacted the VDR server for another download opportunity.

FIG. 13 illustrates another exemplary process where, rather thandownloading media content from one other VDR client, media content isdownloaded from a plurality of VDR clients, thus increasing the speed ofdownload.

More specifically, a media file is broken into fragments, and eachfragment is downloaded to a target VDR client from a different sourceVDR client using a different connection. In FIG. 13, the process beginswhen, at step 1410, a first VDR client communicates a download requestto a media server, followed by a corresponding TCP/IP handshake at step1415. At step 1420, the media server alerts the VDR server that adownload has been requested. The VDR server determines that multiple VDRclients are available to download the requested media content from, and,at step 1430, the VDR server informs the media server that it willhandle the download request. At steps 1440, 1450, and 1460,respectively, the VDR server communicates to second, third, and fourthVDR clients and passes addressing information corresponding to the firstVDR client to each. The VDR server assigns each VDR client the portionof the media content that that VDR client will download to the first VDRclient.

The first VDR client then downloads, at steps 1445, 1455, and 1465respectively, the assigned portions of the media content from each ofthe other VDR clients. As exemplified by illustration of steps 1470,1472, 1474 and 1476, each VDR client reports to the VDR server statusinformation on any downloads it is a part of, to insure each download isprogressing as planned. If a connection is lost, the VDR server can actto correct the problem. Once the first VDR client has completed thedownload of the media content, it communicates such completion to theVDR server and each other VDR client, as exemplified by illustration ofstep 1480. Subsequently, the VDR server notifies the media server thatthe download was completed at step 1490.

MMORPG Implementation

In another preferred implementation, direct connections between end-userdevices having virtualized routing capabilities are utilized in a gamingcontext, such as, for example, in a massively multiplayer online roleplaying game application.

It will be appreciated that traditional MMORPGs handle the majority ofprocessing for a game world at conventional servers. In a preferredimplementation, some of this processing work is offloaded to end-userdevices having virtualized routing capabilities. For example, eachend-user device preferably functions as a server for serving an avatarassociated with a user to other end-user devices whose users aredisposed, in the game world, in close proximity. In this way, theprocessing associated with such avatars is largely offloaded from theserver.

This offloading, and other similar offloading, reduces the resourcesrequired by an MMORPG server. Notably, however, although the end-userdevices assume some functionality more traditionally assumed by aconventional server in MMORPG applications, a control server ispreferably still used to oversee the establishment and monitorconnections between end-user devices.

The control server preferably provides authentication and securityfunctionality. Preferably, the control server keeps track of a uniqueidentification of each end-user device, software loaded on each end-userdevice, and an IP address of each end-user device. Additionally, thecontrol server preferably controls what actions each client can take.

Each end-user device preferably continually provides information to thecontrol server, including: a status of the end-user device, whether theend-user device has lost its connection, an application status,application data, whether software at the end-user device has beentampered with, a rate of one or more communication links, a packet errorrate of one or more communication links, a game state, a characterstate, and coordinates of the character's location in the game world.

It will be appreciated that voice conferencing can be an important partof the massive multiplayer experience, and, in accordance with one ormore preferred embodiments, functionality and implementation similar tothat outlined in an audio conferencing context is utilized in amassively multiplayer gaming context as well.

Notably, in such implementations, a client both receives informationfrom other clients, for example in the form of avatar information, andadditionally receives information from a content server, which may alsocomprise control server functionality.

Security

Preferably, in secure implementations, clients at end-user devices arealerted by a control server of an impending transfer and utilize asecure protocol such as public key encryption, AES (Advanced EncryptionStandard), or SSL (Secure Socket Layer). Packets to be transferred arepreferably intercepted by a virtual machine of a first client, prior tobeing sent to the network interface of that client, and encrypted.Following receipt, the packets coming out of the network interface arethen intercepted by a virtual machine of the other client and decrypted.

Preferably, strong security is achieved by employing a single encryptionkey that is passed between the two end-user devices controlled at layer2 and 3 of the OSI (Open Source Interface) stack model. Regardless ofwhether the file is transported via Ethernet, WiFi, mobile phone datanetworks, or other wired or wireless technologies, the file is protectedsince it is decrypted at the router level of the destination before thedata is passed to the application.

Lastly, although systems, methods, and apparatus are described hereinlargely in the context of end-user devices having virtualized routingcapabilities, it will be appreciated that at least some implementationsmay be practiced in the absence of such virtualized routingcapabilities.

Notably, virtualized routing capabilities, such as, for example, thosepresented by a VDR client, may be advantageous even in communicatingwith a client that does not enjoy such capabilities, e.g. a non-VDRclient. In a preferred method, a VDR client in communication with anon-VDR client searches incoming packets for viruses or other anomalies,and, if such other anomalies are found, the VDR client can break offcommunications and re-establish a new connection.

Based on the foregoing description, it will be readily understood bythose persons skilled in the art that the present invention issusceptible of broad utility and application. Many embodiments andadaptations of the present invention other than those specificallydescribed herein, as well as many variations, modifications, andequivalent arrangements, will be apparent from or reasonably suggestedby the present invention and the foregoing descriptions thereof, withoutdeparting from the substance or scope of the present invention.Accordingly, while the present invention has been described herein indetail in relation to one or more preferred embodiments, it is to beunderstood that this disclosure is only illustrative and exemplary ofthe present invention and is made merely for the purpose of providing afull and enabling disclosure of the invention. The foregoing disclosureis not intended to be construed to limit the present invention orotherwise exclude any such other embodiments, adaptations, variations,modifications or equivalent arrangements, the present invention beinglimited only by the claims appended hereto and the equivalents thereof.

1. A method of providing network communications, comprising the stepsof: (a) detecting, at a device, a request for a network connection froman application running on the device; (b) spawning a first virtualmachine for a network connection that virtualizes network capabilitiesof the device such that a first virtual network connection is provided;(c) spawning a second virtual machine for a network connection thatvirtualizes network capabilities of the device such that a secondvirtual network connection is provided; (d) using the first virtualnetwork connection, establishing a first connection with another deviceover a first network path; (e) using the second virtual connection,establishing a second connection with the other device over a secondnetwork path; (f) determining that the second network path represents atrusted path; (g) determining that a first packet does not need to berouted via a trusted connection; (h) transmitting the first packet usingthe first virtual network connection for communication via the firstnetwork path; (i) determining that a second packet needs to be routedvia a trusted connection; and (j) transmitting the second packet usingthe second virtual network connection for communication via the secondnetwork path.
 2. The method of claim 1, wherein the step of transmittingthe first packet using the first virtual network connection forcommunication via the first network path is performed at least partiallyin response to the step of determining that the first packet does notneed to be routed via a trusted connection.
 3. The method of claim 1,wherein the step of transmitting the second packet using the secondvirtual network connection for communication via the second network pathis performed at least partially in response to the step of determiningthat the second packet needs to be routed via a trusted connection. 4.The method of claim 1, wherein the first virtual machine is spawned inresponse to the request for a network connection from the applicationrunning on the device.
 5. The method of claim 1, wherein the secondvirtual machine is spawned in response to the request for a networkconnection from the application running on the device.
 6. The method ofclaim 1, wherein said step (d) comprises selecting a first routingprotocol from among a plurality of available routing protocols.
 7. Themethod of claim 6, wherein the plurality of available routing protocolsincludes the Interior Gateway Routing Protocol (IGRP), the EnhancedInterior Gateway Routing Protocol (EIGRP), the Border Gateway Protocol(BGP), and the Constrained Shortest Path First (CSPF) protocol.
 8. Themethod of claim 6, wherein said step (h) comprises transmitting thefirst packet using the first virtual machine with the selected firstrouting protocol.
 9. The method of claim 1, wherein said step (d)comprises selecting an initial node of the first network path.
 10. Themethod of claim 9, wherein the selection of an initial node is based atleast partially on network information stored at the device.
 11. Themethod of claim 10, wherein the method further includes a step ofquerying one or more nodes of a network for network information.
 12. Themethod of claim 11, wherein the method further includes receiving thenetwork information from the one or more nodes and generating a routingtable based on the network information.
 13. The method of claim 1,wherein the application is a computer game.
 14. The method of claim 1,wherein the device comprises a computer.
 15. The method of claim 14,wherein the computer includes a plurality of processing cores.
 16. Themethod of claim 1, wherein the device is a mobile phone.
 17. A method ofproviding network communications, comprising the steps of: (a)determining, at a device using application-specific informationassociated with an application running on the device, that a firstpacket needs to be transmitted via a trusted path, and, in response tosuch determination, transmitting the first packet to another device overa first network path via a first virtual network connection thatvirtualizes network capabilities of the device; and (b) determining, atthe device using application-specific information associated with anapplication running on the device, that a second packet does not need tobe transmitted via a trusted path, and, in response to suchdetermination, transmitting the second packet to another device over asecond network path via a second virtual network connection thatvirtualizes network capabilities of the device.
 18. The method of claim17, wherein the device is a computer.
 19. The method of claim 17,wherein the device is a mobile phone.
 20. A device, the devicecomprising: (a) a processor; (b) one or more network adapters providingnetwork capabilities; (c) one or more computer readable media containingcomputer executable instructions configured to (a) determine, at adevice using application-specific information associated with anapplication running on the device, that a first packet needs to betransmitted via a trusted path, and, in response to such determination,transmitting the first packet to another device over a first networkpath via a first virtual network connection that virtualizes networkcapabilities of the one or more network adapters of the device; and (b)determine, at the device using application-specific informationassociated with an application running on the device, that a secondpacket does not need to be transmitted via a trusted path, and, inresponse to such determination, transmitting the second packet toanother device over a second network path via a second virtual networkconnection that virtualizes network capabilities of the one or morenetwork adapters of the device.